Summary

Goals

Provide default implementations of the Suite B cryptographic algorithms in the
JDK so that Java applications can meet appropriate security standards required
by the U.S. government, financial institutions, etc. Ensure that the
implementations in our various crypto providers are interoperable; e.g., if the
same algorithm is supported by both the SunPKCS11 and SunJCE providers then
basic testing should be done to ensure interoperability.

Most of the algorithms required by NSA Suite B are already supported in the JDK
by various crypto providers such as SunEC (ECDH key agreement, ECDSA
signature), SUN (SHA256, SHA384 message digests), SunJCE (AES cipher with
ECB/CBC/OFB/CFB modes), and SunPKCS11 (depending on the native PKCS11 library,
though we may need to enhance the provider code to work with native
implementations). For EC-related algorithms, we also need to make sure that
the required curves and parameters are supported.

Non-Goals

This enhancement will only cover the required NSA Suite B algorithms.
Following the NSA's guidance on the protocol level would be a separate effort.

Motivation

NSA Suite B cryptography has been approved by NIST for use by the
U.S. Government and specified in NIST standards and recommendations.

Description

In 2005 the NSA announced Suite B Cryptography, which built on the National
Policy on the use of the Advanced Encryption Standard (AES) to Protect National
Security Systems and National Security Information (CNSSP-15). In addition to
the AES, Suite B includes cryptographic algorithms for key exchange, digital
signatures, and hashing; specifically:

AES with 128-bit keys provides adequate protection for classified information
up to the SECRET level. Similarly, ECDH and ECDSA using the 256-bit prime
modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-256 provide
adequate protection for classified information up to the SECRET level. During
the transition to the use of elliptic curve cryptography in ECDH and ECDSA, DH,
DSA and RSA can be used with a 2048-bit modulus to protect classified
information up to the SECRET level.

AES with 256-bit keys, Elliptic Curve Public Key Cryptography using the 384-bit
prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-384 are
required to protect classified information at the TOP SECRET level. Since some
products approved to protect classified information up to the TOP SECRET level
will only contain algorithms with these parameters, algorithm interoperability
between various products can only be guaranteed by having these parameters as
options.

Another suite of NSA cryptography, Suite A, contains some classified algorithms
that will not be released. Suite A will be used for the protection of some
categories of especially sensitive information.

Protocol profiles will be developed to aid in the selection of options to
promote interoperability. NIST has developed an IPsec profile, NIST Special
Publication 500-267, "A Profile for IPv6 in the U.S. Government -- Version
1.0".

This JEP does not propose to implement this protocol guidance.
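
The TOP SECRET parameter set described above (AES with 256-bit keys, the 384-bit prime modulus curve, SHA-384), exercised through standard JCA algorithm names. This is an added example, not code from the JEP or the JDK; it assumes Java 8 or later with a policy that permits 256-bit AES keys, and the names `SuiteBTopSecretDemo`, `p384`, `agree` and `gcm` are hypothetical.

```java
import java.security.*;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public class SuiteBTopSecretDemo {
    // EC key pair on the 384-bit prime modulus curve (JCA name "secp384r1", NIST P-384).
    static KeyPair p384() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp384r1"));
        KeyPair kp = kpg.generateKeyPair();
        int bits = ((ECPublicKey) kp.getPublic()).getParams().getCurve().getField().getFieldSize();
        if (bits != 384) throw new InvalidParameterException("expected a 384-bit curve, got " + bits);
        return kp;
    }

    // ECDH, then SHA-384 over the shared secret; the first 32 bytes become the AES-256 key.
    // Assumption: hashing the raw secret is a simplification here, not a Suite B KDF.
    static SecretKey agree(PrivateKey mine, PublicKey theirs) throws GeneralSecurityException {
        KeyAgreement ka = KeyAgreement.getInstance("ECDH");
        ka.init(mine);
        ka.doPhase(theirs, true);
        byte[] digest = MessageDigest.getInstance("SHA-384").digest(ka.generateSecret());
        return new SecretKeySpec(Arrays.copyOf(digest, 32), "AES");
    }
    static byte[] gcm(int mode, SecretKey key, byte[] iv, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(128, iv)); // 128-bit authentication tag
        return c.doFinal(in);
    }
    public static void main(String[] args) throws Exception {
        KeyPair alice = p384(), bob = p384();
        byte[] msg = "constructed sample message".getBytes("UTF-8");
        Signature ecdsa = Signature.getInstance("SHA384withECDSA"); // ECDSA over P-384 with SHA-384
        ecdsa.initSign(alice.getPrivate());
        ecdsa.update(msg);
        byte[] sig = ecdsa.sign();
        ecdsa.initVerify(alice.getPublic());
        ecdsa.update(msg);
        System.out.println("signature valid: " + ecdsa.verify(sig));
        byte[] iv = new byte[12]; // GCM needs a fresh IV for every message under one key
        new SecureRandom().nextBytes(iv);
        byte[] ct = gcm(Cipher.ENCRYPT_MODE, agree(alice.getPrivate(), bob.getPublic()), iv, msg);
        byte[] pt = gcm(Cipher.DECRYPT_MODE, agree(bob.getPrivate(), alice.getPublic()), iv, ct);
        System.out.println("round trip ok: " + Arrays.equals(msg, pt));
    }
}
```

Passing a provider name as the second argument to each `getInstance` call (for example "SunEC" on one side and "SunPKCS11" on the other, where configured) turns the same flow into a basic cross-provider interoperability check.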

At the crypto provider level, the only implementations missing that need to be
supported are:

SUN/SunJCE/SunEC/SunPKCS11: Add OIDs for the supported algorithms.

SUN provider: Support DSA key sizes of (L, N), where L is the bit length of p
and N is the bit length of q: (2048, 224), (2048, 256). Support for the (3072, 256)
pair isn't included in this effort, but can be added later if the need
arises.

SunJCE provider: Support for AES cipher with GCM and CCM modes. (Note: This
is being tracked by a separate JEP, Support AEAD CipherSuites.)

At the Java API level, we will need to add a DSA API that accepts both L and N
and passes them to the underlying provider implementations. Currently, only L
is supported, e.g., by DSAKeyPairGenerator.

Testing

Need to add:

Regression Tests: known-answer tests to validate the implementation of the
new algorithms,

Risks and Assumptions

Intellectual Property: A key aspect of Suite B Cryptography is its use of
elliptic curve technology instead of classic public key technology. In order
to facilitate adoption of Suite B by industry, NSA has licensed the rights to
26 patents held by Certicom, Inc., covering a variety of elliptic curve
technology. Under the license, NSA has the right to grant a sublicense to
vendors building certain types of products or components that can be used for
protecting national security information. More information is available
here.